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-Abstract- 

In a recent work, we introduced four variants of diagnosability (FA, IA, FF, IF) in (finite) probabil¬ 
istic systems (pLTS) depending whether one considers (1) finite or infinite runs and (2) faulty or 
all runs. We studied their relationship and established that the corresponding decision problems 
are PS PACE-complete. A key ingredient of the decision procedures was a characterisation of 
diagnosability by the fact that a random run almost surely lies in an open set whose specification 
only depends on the qualitative behaviour of the pLTS. Here we investigate similar issues for 
infinite pLTS. We first show that this characterisation still holds for FF-diagnosability but with 
a Gs set instead of an open set and also for IF- and lA-diagnosability when pLTS are finitely 
branching. We also prove that surprisingly FA-diagnosability cannot be characterised in this 
way even in the finitely branching case. Then we apply our characterisations for a partially ob¬ 
servable probabilistic extension of visibly pushdown automata (POpVPA), yielding EXPSPACE 
procedures for solving diagnosability problems. In addition, we establish some computational 
lower bounds and show that slight extensions of POpVPA lead to undecidability. 

1 Introduction 

Diagnosis. Monitoring (hardware and/or software) systems prone to faults involves several 
critical tasks: controlling the system to prevent faults as much as possible, deducing the cause 
of the faults, etc. Most of these tasks assume that an observer has the capability to assess the 
status of the current run based on the outputs of the system: providing information about 
the possible occurrence of faults. Such an observer is called a diagnoser and its associated 
task is called diagnosis. This framework leads to interesting decision and synthesis problems: 
“Does there exist a diagnoser?” and in the positive case “How to build such a diagnoser?”, 
“Which kind of diagnoser is sufficient?”, etc. The decision problem, on which we focus here, 
is called diagnosability [14]. 

Diagnosis of discrete event systems. In order to formally reason about diagnosability, the 
systems were first modelled by finite labelled transition systems (LTS). Then the specification 
of a diagnoser is defined by two requirements: correctness , meaning that the information 
provided by the diagnoser is accurate, and reactivity , ensuring that a fault will eventually 
be detected. Within the framework of finite LTS, the decision problem was shown to be 
solvable in PTIME [9] and it is in fact NLOGSPACE-complete. 

Diagnosis of probabilistic systems. A natural way of modelling partially observable 
systems consists in introducing probabilities ( e.g. when the design is not fully known or 
the effects of the interaction with the environment is not predictible). Thus the notion 
of diagnosability was later extended to Markov chains with labels on transitions, also 
called probabilistic labelled transition systems (pLTS) [15]. In this context, the reactivity 
requirement now asks that faults will be almost surely eventually detected. Regarding 
correctness, two specifications have been proposed: either one sticks to the original definition 
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and requires that the provided information is accurate, defining A-diagnosability, or one 
weakens the correctness by admitting errors in the provided information that should, however, 
have an arbitrary small probability defining AA-diagnosability. From a computational 
viewpoint, we recently proved that A-diagnosability is PS PACE-complete [3] and that AA- 
diagnosability can be solved in PTIME [4]. 

In case a system is not diagnosable, one may be able to control it, by forbidding some 
controllable actions, so that is becomes diagnosable. This property of active diagnosability has 
been studied for discrete-event systems [13, 8], and for probabilistic systems [2]. Interestingly, 
the diagnosability notion in the latter work slightly differs from the original one in [15]. 
Building on this variation, in [3] semantical issues have been investigated and four relevant 
notions of diagnosability (FA, IA, FF, IF) have been defined depending on (1) whether one 
considers finite or infinite runs and (2) faulty or all runs. In finite pLTS, it was shown that 
all these notions can be characterized by the fact that a random run almost surely lies in an 
open set, whose specification only depends on the qualitative behaviour of the pLTS. 
Diagnosis of infinite-state systems. Diagnosability in infinite-state systems has been 
studied, on the one hand for restricted Petri nets [5], for which an accurate diagnoser can 
be designed, and on the other hand for visibly pushdown automata (VPA) [11], for which 
diagnosability can be decided via the determinisation procedure of [1]. However to the best 
of our knowledge diagnosis of probabilistic infinite-state systems has not yet been studied. 
Contributions. The characterisations of diagnosability established in [3] strongly relied 
on the finiteness of the models. Our first aim is thus to establish characterisations in the 
infinite-state case. FF-diagnosability (the original notion of diagnosability) states that almost 
surely a faulty run will be detected in finite time. We establish that FF-diagnosability 
can be characterised by the fact that a random run almost surely lies in a G$ set, only 
depending on the qualitative behaviour of the system. This characterisation also applies 
to I F-diagnosability for finitely-branching systems, since then the two notions coincide. An 
ambiguous infinite correct (resp. faulty) run is a run indistinguishable from a faulty (resp. 
correct) run. I A-diagnosability states that almost surely a run is unambiguous. The set 
of ambiguous runs is an analytic set (so a priori not known to be a Borel set). However 
in the finitely-branching case, we establish that the set of unambiguous runs is a Gs set, 
yielding a characterisa tion of I A-diagnosability. FA-diagnosability states that the probability 
that a finite run is unambiguous goes to 1 when its length goes to infinity. Surprisingly, 
despite the fact that I A-diagnosability and FA-diagnosability are very close, we prove that 
FA-diagnosability cannot be characterised by the fact that a random run almost surely lies in 
a Gs set. Furthermore we strengthen this result by another inexpressivess result also related 
to FA-diagnosability. 

We then introduce partially observable probabilistic visibly pushdown automata (POpVPA), 
a model generating infinite-state probabilistic systems. We show how to exploit the above 
characterisations to design a decision procedure for diagnosability in POpVPA. More precisely 
we show that we can “encode” our characterisations in an enlarged probabilistic VPA and 
then exploit the decision procedures of [7] leading to an EXPSPACE algorithm. Since our 
characterisations are not regular, this requires some tricky machinery. Finally we complete 
this work by exhibiting an EXPTIME lower-bound and showing that slight extensions of 
POpVPA lead to undecidability of the diagnosability problem. 

Organisation. In Section 2, we successively introduce probabilistic infinite-state systems, 
equip them with partial observation and faults, and define diagnosability notions. In Section 3, 
we establish characterisations of the diagnosability notions and inexpressiveness results. We 
exploit the characterisations to design decision procedures for POpVPA in Section 4, also 
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proving hardness and undecidability results. We conclude and give some perspectives in 
Section 5. All the proofs are given in Appendix. 

2 Diagnosis specifications of infinite-state probabilistic systems 
2.1 Probabilistic labelled transition systems 

Probabilistic labelled transition systems (pLTS) are labelled transition systems equipped 
with probability distributions on transitions outgoing from a state. 

► Definition 1. A pLTS is a tuple A4 = (Q,go,S,T, P) where: 

h Q is a finite or countable set of states with qo e Q the initial state; 
b S is a finite set of events; 
h TcQxSxQisa set of transitions; 

P : T -*■ Q>o is the transition probability fulfilling: Vg e Q, E( 9>a> g')eT P[<b d, q'] = 1. 

Given a pLTS A4, the transition relation of the underlying LTS C is defined by q q' 
for ( q,a,q r ) € T; this transition is then said to be enabled in q. In order to emphasise the 
relation between the pLTS and the LTS, we sometimes write M = (£, P). Note that since we 
assume the state space to be at most countable, a pLTS is by definition at most countably 
branching: from every state q, there are at most countably many transitions enabled in q. 

► Example 2. The pLTS of Figure 1 represents a server that accepts jobs (event in) until it 
randomly decides to serve the jobs (event serve). When a job is done the result is delivered 
(event out). When all jobs are done, the server waits for a new batch of jobs. However 
randomly, the server may trigger a fault (event f) and then abort all remaining jobs (event 
abort). Afterwards, the server is reset (event reset). In the figure, the label of a transition 
(g, a, q') is depicted as P[g, a, q'] ■ a. 


1 • reset 


Figure 1 An infinite-state pLTS. 

Let us now introduce some important notions and notations that will be used throughout 
the paper. A run p of a pLTS A4 is a (finite or infinite) sequence p = goaogi ... such that 
for all i, qi € Q 1 ai € £ and when qt +1 is defined, g,; -A- qi+\. The notion of run can be 
generalised, starting from an arbitrary state q. We write SI for the set of all infinite runs of 
M starting from go, assuming the pLTS is clear from context. When it is finite, p ends in 
a state q and its length , denoted |/?|, is the number of events occurring in it. Given a finite 
run p = goaogi ... q n and a (finite or infinite) run p' = q n a n q n+ 1 ..., we call concatenation of 
p and p' and we write pp' the run q^a^qi... q n a n q n+ 1 ...; the run p is then a prefix of pp', 
which we denote p < pp'. The cylinder defined by a finite run p is the set of all infinite runs 
that extend p: C(p) = {p 1 € | p < p'}. Cylinders are a basis of open sets for the standard 

topology on the set of runs (which can be viewed as an infinite tree). One equips a pLTS 
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with a probability measure on i! with cr-algebra being B , the set of Borel sets, and which is 
uniquely defined by Caratlreodory’s extension theorem from the probabilities of the cylinders: 

F(C(q 0 a 0 qi • • •<?«)) = P[<?o,ai,gi]—P[g„-i,a„-i, q n ] ■ 

We will sometimes omit the C and write P(p) for P(C'(p)). It is well-known that once the 
measure is fixed, one can enlarge the set of of measurable sets by considering the smallest 
cr-algebra containing B and the “null” sets: {A | 3 B e B Aq B a P (B) = 0} and then extend 
the original measure to a (complete) measure on this enlarged cr-algebra. We consider this 
measure in the sequel. 

The sequence associated with p = qaoqi ... is the word a p = aoai..., and we write 
indifferently q or q —A* (resp. q *q' or q —>■*q') for an infinite (resp. finite) run p. A 
state q is reachable (from q 0 ) if there exists a run such that qo *q , which we alternatively 
write qo —’■*<?■ The (infinite) language of pLTS A4 consists of all infinite words that label 
runs of A4 and is formally defined as IA (A!) = {cr€ £ w | q 0 } 

2.2 Partial observation and faults 

The observation of a pLTS is given by a mask function. This function projects every event 
to its observation. This observation is partial as an event can have no observation or shares 
its observation with another event, but it is deterministic. 

► Definition 3. A partially observable pLTS (POpLTS) is a tuple M = consisting 

of a pLTS M. equipped with a mapping V : £ -* £ 0 u (e) where £ 0 is the set of observations. 

Note that our setting generalises most existing frameworks of fault diagnosis by considering 
a mask function V onto a possibly different alphabet rather than a partition of the event 
alphabet into observable and unobservable events. An event a e £ is said unobservable if 
V(a) = £, fully observable if V(a) + e and V^ 1 ({V{a)}) = {a} and partially observable if 
V(a) t £ and |'P~ 1 ({’P(u)})| > 1. The set of unobservable events is denoted £„. 

Let cr e £* be a finite word; its length is denoted |cr|. The mapping V is extended to finite 
words inductively: V{e) = e and V(aa) = V{a)V{a). We say that V(a) is the mask of cr. 
Write |cr| 0 for \P(cr)\. When cr is an infinite word, its mask is the limit of the masks of its 
finite prefixes. This mask function is applicable to runs via their associated sequence; it can 
be either finite or infinite. As usual the mask function is extended to languages. With respect 
to V, a POpLTS M is convergent if there is no infinite sequence of unobservable events 
from any reachable state: L“(Af) n £*£“ = 0. When J\f is convergent, for every cr e L w (Af), 
V(tj) e ££. In the rest of the paper we assume that POpLTS are convergent. V can also be 
be viewed as a mapping from runs to £“ by defining V{qoaoq\a\...) = V(aoai ...). Remark 
that this mapping is continuous. We will refer to a sequence for a finite or infinite word over 
£, and an observed sequence for a finite or infinite sequence over £„. Clearly, the application 
of the mask function onto £„ of a sequence yields an observed sequence. 

The observable length of a run p denoted \p\ a e N u {oo}, is the number of observable 
events that occur in it: \p\ 0 = |cr p | 0 . A signalling run is a finite run whose last event is 
observable. Signalling runs are precisely the relevant runs w.r.t. partial observation issues 
since each observable event provides an additional information about the execution to an 
external observer. Given states q,q' and an observed sequence cr e ££, we write q => q' if 
there is a signalling run from q to q' with observed sequence cr. 

In the sequel starting from the initial state qo, SR denotes the set of signalling runs, and 
SR„ the set of signalling runs of observable length n. Since we assume that the POpLTS are 
convergent, for all n > 0, SR„ is equipped with a probability distribution defined by assigning 
measure P(p) to each p e SR n . Given p a finite or infinite run, and n < \p\ Q , Pin denotes the 
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signalling subrun of p of observable length n. For convenience, we consider the empty run go 
to be the single signalling run, of null length. 

2.3 Fault diagnosis for POpLTS 

To model the problem of fault diagnosis in POpLTS, we assume the event alphabet E contains 
a special event f e E called the fault. A run p is then said to be faulty if its associated 
sequence of events contains a fault, i.e. a p e E*fE w ; otherwise it is correct. The set of faulty 
(resp. correct) runs is denoted F (resp. C). For n 6 N, we write F.„ for the set of runs p such 
that pi n is faulty and C„ for the set of runs p such that p\ n is correct. By definition, for all 
77., — F n l±J C„, F — UneN F n and C — fjneN C„- 

In order to reason about faults we partition sequences of observations into three subsets: 
an observed sequence a e E“ is surely correct if V~ 1 {a) n L U {M) £ (E \ f) 1 ^; it is surely 
faulty if V~ 1 {a) n L w (Ad) £ E*fE“; otherwise, it is ambiguous. For finite sequences, we need 
to rely on signalling runs: a finite observed sequence a e E* is surely faulty (resp. surely 
correct) if for every signalling run p with V{a p ) = er, p is faulty (resp. correct); otherwise 
it is ambiguous. A (finite signalling or infinite) run p is surely faulty (resp. surely correct , 
ambiguous ) if V(p) is surely faulty (resp. surely correct, ambiguous). 

In order to specify various requirements for diagnosability we need to refine the notion of 
ambiguity. Let Af be a POpLTS and n € N with n > 1. Then: 

h FAmboo (resp. CAmbt*,) is the set of infinite faulty (resp. correct) ambiguous runs of A f\ 
h FArnb,, (resp. CArnb,,) is the set of infinite runs of A f whose signalling subrun of observable 
length 77 is faulty (resp. correct) and ambiguous; 

At this point it is interesting to look at the status of the different subsets of runs we have 
introduced with respect to the Borel hierarchy. The complementary sets F„ and C„ are 
unions of cylinders; so they are open (and by complementation) closed sets. The set of faulty 
(resp. correct) runs F (resp. C) is an open (resp. closed) set as a union (resp. intersection) 
of open (resp. closed) sets. The sets FArnb,, and CAmb„ are unions of cylinders; so they are 
open. The sets FAmboo and CAmb^ may be defined as follows. Consider (Eq)“ and f l 2 both 
equipped with the product topology. SameObs = {(p, p') \ V{p) = V{p')} is the inverse image 
by a continuous mapping of the closed set {(er, a) \ a € E£}. Therefore SameObs is closed. 
Thus Cx Fn SameObs is a Borel set. The first and second projections are exactly CAmboo 
and FAmboo which establishes that these sets are analytic sets {i.e. continuous images of 
Borel sets). The set of analytic sets is a strict superset of Borel sets but every analytic set is 
still measurable w.r.t. the complete measure [12, 2H8 p.83]. 

In the context of finite POpLTS, we introduced four possible specifications of diagnosab¬ 
ility [3]. There are two discriminating criteria: whether the non ambiguity requirement holds 
for faulty runs only or for all runs, and whether ambiguity is defined at the infinite run level 
or for longer and longer finite signalling subruns. Let Af be a POpLTS. Then: 
h Af is IF -diagnosable if P(FAmboo) = 0. 
h Af is I A- diagnosable if P(FAmboo t±i CAmb.*,) = 0. 

_ Af is FF -diagnosable if limsup n ^ oc P(FArnb,,) = 0. 
b Af is FA-diagnosable if limsup„^ 00 P( FArnb,, is CAmb„) = 0. 

We recall in the next theorem all the implications that hold between these definitions. Missing 
implications do not hold, already for finite-state POpLTS. 

► Theorem 4 ([3]). Let Af be a POpLTS. Then 
h Af FA-diagnosable => Af I A- diagnosable and FF-diagnosable; 
h Af \A-diagnosable or FF -diagnosable => Af IF -diagnosable; 
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h If Af is finitely branching, then Af is IF -diagnosable iff Af is FF -diagnosable. 

In order to illustrate the different kinds of diagnosability, we describe below some 
discriminating examples. 



Figure 2 Left: a POpLTS that is IF-diagnosable but not lA-diagnosable. Right: a POpLTS that 
is lA-diagnosable but not FA-diagnosable. 


Consider the POpLTS Af on the left of Figure 2 where {n, f) is the set of unobservable 
events (represented by dashed arrows) and V is the identity over the other events. A faulty 
run will almost surely produce a 6-event that cannot be mimicked by the single correct 
run. Thus this POpLTS is I F-diagnosable. The unique correct run p = qouqiaqi... has 
probability ^ and its corresponding observed sequence a u is ambiguous. Thus the POpLTS 
is not lA-diagnosable. This simple example shows that, already for finite-state POpLTS, 
I F-diagnosability does not imply I A-diagnosability. 

Similarly, let us look at the POpLTS on the right of Figure 2 where {u, f) is the set of 
unobservable events and V is the identity over the other events. Any infinite faulty run will 
contain a 6-event, and cannot be mimicked by a correct run, therefore FAmb,*, = 0. The 
two infinite correct runs have a u as observed sequence, and cannot be mimicked by a faulty 
run, thus CAmb^ = 0. As a consequence, this POpLTS is lA-diagnosable. Consider now 
the infinite correct run p = qouqiaqi .... It has probability |, and all its finite signalling 
subruns are ambiguous since their observed sequence is a", for some neN. Thus for all 
n> 1, P(CAmb„) > |, so that this POpLTS is not FA-diagnosable. 

3 Characterisation of diagnosability 

The aim of this section is to establish “simple” characterisations of the diagnosability notions 
for a POpLTS Af = ((£, P), £ 0 , V) and more precisely to study whether one can express it 
as a Borel set B e B only depending on the underlying LTS C and the mask function V, such 
that almost surely a random run belongs to B if and only if Af is diagnosable. Furthermore 
if possible, one looks for a set B belonging to a low level of the Borel hierarchy. Observe 
that for all notions, this requires some machinery since the finite runs-based notions FF and 
FA are expressed by a family of Borel sets and the infinite runs-based notions IF and IA are 
expressed by a set which is not a priori a Borel set. 

Pursuing this goal, we introduce a language pathL for specifying Borel sets of runs. It is 
based on path formulae. A path formula a is a predicate over finite prefixes of runs. The 
(pseudo-)syntax of a formula of pathL is: 

<t> ::= a | -.</) | (f>i A (j) 2 | 

where a is a path formula. In the sequel we use the standard shortcut □</> = -i O 

A formula is evaluated at some position k of a run p = q^a^qi .... The prefix p[ 0, k ] of p 
is defined by p[ 0, k] = q^a^qi.. .qk- The semantics of pathL is inductively defined by: 
h /?, k t= a if and only if a(p[ 0, fc]); 
h /?, k 1= ->(j) if and only if p, k f <p; 
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h p, k 1 = <f>i a (j>2 if and only if p, k t= <fi and p, k\= <j) 2; 
h p, k 1= 0</> if and only if there exists k! > fc such that p, fc' 1= qb. 

Finally p 1= if and only if p, 0 1= cf. Due to the presence of path formulae (with no restriction) 
this language subsumes LTL and more generally any w-regular specification language. In 
order to reason about the probabilistic behaviour of a POpLTS, we introduce qualitative 
probabilistic formulae P ™ p ((f>) with 1 * 6 {<,>,=}, p e {0,1} and 4> 6 pathL. The semantics 
is obvious: M 1= P if and only ifP^({pe 0 | pt= (/)}) up. Since pathL is closed by 
complementation the probabilistic formulae can be restricted to P =0 (<)>) and P >0 (^). 

Let us give some examples of path formulae. Given a finite run p = q^a^qi.. .qk, let f 
be defined by f(p) = true if = f for some index i. This path formula characterises the 
faulty finite runs. Let if be defined by il(p) = true if there exists a correct signalling run p' 
with V{p) - V(p'). Using the path formulae f and if, we exhibit a formula of pathL that 
characterises FF-diagnosability. 

► Proposition 5. Let J\f be a POpLTS. Then J\f is FF-diagnosable iff J\f t= P 0 (O □ (f a 11)). 

Due to Theorem 4, in finitely-branching POpLTS the above characterisation also holds 
for IF-diagnosability. We also need the finitely-branching assumption in order to characterise 
lA-diagnosability. To this goal, let us introduce a more intricate path formula. For a e E*, 
we define firstf (a) by firstf (a) = min{fc | 3p signalling run V{p) = er a p^k is faulty} with the 
convention that min(0) = 00 . Then the path formula 2U is defined by: 211(e) = false and 
2 U(< 7 oao . ..q n + 1 ) = true if firstf(U(g 0 ao ■ ■■Qn+ 1 )) = firstf (V(q 0 a 0 . ..?„)) < 00 . 

► Proposition 6. Let J\f be a finitely branching POpLTS. Then M is \A-diagnosable iff 
M 1 = P =0 (O □ (it a 22J)). 



Figure 3 An infinitely-branching lA-diagnosable POpLTS. 


The POpLTS of Figure 3 illustrates the necessity of the finitely-branching requirement in 
Proposition 6. {w,f} is the set of unobservable events and V is the identity over the other 
events. Observation b occurs in every infinite correct run, while the observed sequence of the 
single infinite faulty run is a“. This POpLTS is thus lA-diagnosable. However, it does not 
satisfy P =0 (O □ (if a 2U)) since the unique infinite faulty run has probability } and satisfies 
□if. Indeed for every n € N, there is a correct signalling run with observed sequence a n . 

Observe that the sets of runs specified by the characterisations of FF-diagnosability 
(On (f Ail)) and lA-diagnosability (On (11 a2U)) are F a sets, i.e. countable unions of closed 
sets. Surprisingly, we show that such a characterisation is impossible for FA-diagnosability. 

► Proposition 7. There exists a finitely-branching LTS C and a mask function V such that 
for every F a set E of runs, there exists a POpLTS N = ((£, P), E 0 , V) such that: 
h either J\f is FA-diagnosable and P jy(E) > 0; 
h or Af is not FA -diagnosable and P jg(E) = 0. 
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We conjecture that the previous impossibility result also holds for all Borel sets. The 
next proposition shows that a positive probability condition (instead of a null condition) 
may not exist whatever the Borel set. 

► Proposition 8. There exists a finitely-branching LTS C and a mask function V such that 
for every Borel set E of runs, there exists a POpLTS J\T = ((£,P ),E 0 ,'P) such that: 

h either AT is FA -diagnosable and Pjy(E) = 0; 
h or M is not FA-diagnosable and Pjy(E') > 0. 

4 Diagnosis for probabilistic pushdown automata 

We now turn to a concrete model for infinite-state POpLTS, namely the ones generated by 
probabilistic pushdown automata, and more specifically by probabilistic visibly pushdown 
automata. Our goal is to use the characterisations from the previous section to decide the 
diagnosability of POpLTS generated by partially observable probabilistic visibly pushdown 
automata (POpVPA). To do so, we face the difficulty that the Borel sets that characterise 
IF-, IA- and IF-diagnosability are not a priori regular, even in the finite branching case. 
Yet, for POpVPA, we circumvent this problem, and manage to specify these sets by pLTL 
formula on a determinisation of the model, tagged with the needed atomic propositions. The 
decidability of the qualitative model checking for recursive probabilistic systems [7] then 
yields the decidability of the above three diagnosability notions for POpVPA. 

4.1 Probabilistic visibly pushdown automata 

Among probabilistic infinite-state systems the ones generated by probabilistic pushdown 
automata [10, 7] support relevant decision procedures. Already in the non-probabilistic case, 
the subclass of visibly pushdown automata (VPA) [1] is more tractable than the general 
model. In VPA, the type of events determines whether the operation on the stack is a push, 
a pop, or possibly changes the top stack symbol, so that the languages defined by VPA enjoy 
most of the desirable properties regular languages have. 

► Definition 9. A probabilistic visibly pushdown automaton (pVPA) is a tuple A = ( Q , £, T, 5, P) 
where: 

h Q is a finite set of control states with qo the initial state; 

b £ is a finite alphabet of events, partitionned into local, push and pop events £ = £|,tt)£||tu£|,. 
h T is a finite alphabet of stack symbols including a set of bottom stack symbols T ± with 
initial symbol lo e T ± ; 

ijcQxTxSxQxP* is the set of transitions such that for every (q , 7 , a, q',w) e <5, |u>| < 2 , 
7 6 T ± implies w € T ± (T \ T ± )* and 7 i T x implies w e (T \ T ± )*; 
h P is the transition probability function fulfilling for every q € Q and 7 e T: 

^f{q,^,a,q',w)^8 ^ [(?, Q 5 ^ 0 ] — 

A transition t = (q,"/,a,q',w) e 6 is said to be a local (resp. push , pop ) transition if |w| = 1 
(resp. |w| = 2, |ui| = 0). We require that for every transition t = (q,^,a,q',w) eS, t is a local 
(resp. push, pop) transition iff a is a local (resp. push, pop) event. 

The semantics of a pVPA is an infinite-state pLTS whose states are pairs (q, z ) consisting 
of a control state and a stack contents. 

► Definition 10. A pVPA V = (Q,£,T, S, P) defines a pLTS Mv = ( Qv, (qo, lo), £,7v, Py) 
where: 

- Qv = {(q,z) \ q e Q A z €T L (T \ 
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- T v = {{{q,z'y),a, (q',zw)) | ^ 7 er ± (r nT ± )* a (g, 7 ,a,g',w) € 5}] 

- For every ((g, zj ), a, ( q',zw ) ) e T v , Py [((<?, *i) , a, (<?', z«0)] = P[(g, 7 , a, g', w)]. 

► Example 11. Figure 4 gives an example of a pVPA. The event alphabet is composed 
of local events {serve, empty, reset}, a push event in and pop events {out, f, abort}. A 
transition t = (q,j,a,q r ,w) is represented by an edge from state q to state q' and labelled by 
P[f] -7 ,a,w. The semantics of this pVPA is precisely the pLTS from Figure 1. Indeed, the 
stack alphabet consists of two letters T = { 7 , lo} where the set of bottom stack symboll is 
Pi = {± 0 } • Thus one can encode the stack using a counter that gives the number of 7 in the 
stack. For instance, in the pLTS from Figure 1 the configuration (gi,lo 7 n ) of the pVPA 
corresponds to the state q\ n . 



Figure 4 A pVPA generating the pLTS from Figure 1 with two finite runs. 


To define partially observable pVPA, we equip a pVPA with a mask function and 
require that only local events may be unobservable, and that pushes and pops can still be 
distinguished. Thus, the observed sequence of a signalling run of a POpVPA still provides 
the information about the height of the stack since it is equal to the difference of pushes and 
pops, plus one. 

► Definition 12. A partially observable pVPA (POpVPA) is a tuple (V,T, 0 ,V) consisting of 
a pVPA V equipped with a mapping V : E -» E 0 u {e} such that: 
b E„ = S 0i |, is S 0! j is E 0il) is the set of observations; 

™ ’P(S^) £ E 0) |, u {s}, 'P(Ej) £ E 0j || and P(Ei,) £ E 0j ^. 

In the sequel, we may identify a POpVPA with the POpLTS it generates. In particular, 
the various concepts of diagnosability are lifted from POpLTS to POpVPA. 

4.2 Complexity of diagnosability for POpVPA 

To obtain an algorithm for the diagnosability of POpVPA, we follow the finite-state case 
approach [3]. First, we determinise POpVPA V into A(V), with the diagnosis objective in 
mind, building on the deterministic automaton recognising unambiguous sequences from [8]. 
We therefore introduce tags that reflect the category of runs (faulty or correct) given an 
observed sequence with a distinction between “old” and “young” faulty runs. It then suffices 
to check whether the characterisations hold on the synchronised product V xd(V) where V 
enlarges V by keeping track of a fault occurrence. To reduce to a decidable model checking 
question, we specify the Borel sets from Section 3 by LTL formulae. 
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Diagnosis-oriented determinisation. The determinisation of V (where probabilities are 
irrelevant for this transformation) into A(V) exploits some ideas of the original determinisation 
by Alur and Madhusudan [1], yet, it is customised to diagnosis. In particular, it uses tags that 
were first defined to construct a deterministic Biiclri automaton recognising the unambiguous 
sequences of a finite LTS [ 8 ]. The complete definition of -4(V) is postponed to Appendix B.l. 
We emphasise here some aspects of the construction and illustrate them on an example. 


XjfAso} ^{^90} : 

U 1 ±,X,g 0 J ’ 1 L ±,X,g 0 > ’ 
r X - | -l,X,9i l,X,/i ^ _ / 7.X,91 


±,U,9o ’ l,U,9o J 


,cf = { 


_ / 7.X,go \ i X _ / 7.X,qi 1 tX 
A,X,g 0 I’ 1 t J.,X,g 0 J ’ U °° 
7.X, fi -j ^X _ r 7.X,9i 7,X,/i 1 


±,X,g 0 ’ l,X,g 0 > ’ 


- 7,U,go ’ 7,U,9o s ’ 


r 7.X,9i -1 
f 7.X,go 


X e {U, W} 



( run I / lo.u.gl io. 
v |l± 0 ,U.9o ’ lo, 





reset 




Figure 5 The VPA A(V) associated with the POpVPA V of Figure 4 with two runs. 


States and stack symbols. The VPA A{V) tracks all runs with same observation in 
parallel memorising their status w.r.t. faults. More precisely to the current set of runs 
corresponds the symbol on the top of the stack which is a set of tuples where each tuple is 
written as a fraction 7 -’ x - q q - ■ Let us describe the meaning of this tuple: 
h q is the current state of the run and 7 is the symbol on the top of its stack; 
h X e Tg = {U, V, W} is the status of the run: U for a correct run, V for a young faulty run 
and W for an old faulty run; 

h The denominator (yVXAlT), is related to the configuration just after the last push event 
of the run: 7 “ is the stack symbol under the top symbol, while X~ is the status of the 
run reaching this configuration and q~ the state of this configuration. 

A priori, a single state run would be enough. However the simulation of a pop event in the 
original VPA is performed in two steps requiring some additional states that we explain later. 
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Illustration. The initial configuration of the VPA A(V) of Figure 5 (run, |{ }[) cor¬ 

responds to the empty run represented by a singleton. The denominator of bottom stack 
symbols is by convention (l 0 , U ,q 0 ) and is irrelevant for specifying the transitions of A(V). 
Tag updates. Let us explain how the tag X of an item A’^A 1 _ of the current stack symbol 
is determined. If this item corresponds to a correct run then X = U. When, in a current state, 
after a transition of A(V) a (tracked) correct run becomes faulty in the next state, there are 
two cases. Either there was no tag W in (the numerators of items of) the top stack symbol 
of the current state then the run is tagged by W. Otherwise it is tagged by V meaning that 
it is a young faulty run. The tag V (young) becomes W (old) when, in the previous state, 
there was no tag W in the top stack symbol. A tag W is unchanged along the run. 

Push transitions. Given an observed push event o e £ 0 ,k, from the control state run with 
top stack symbol bel, there is a looping push transition (run, bel, o, run, bel'bel") in A(V) 
that encodes the possible signalling runs with observation o in V. More precisely for every 
transition sequence (q,a) =>• (r,/3~{3) in V (i.e. a sequence of unobservable local events 
ending by an event e with V(e) = o ) and n -’^ q n - e bel one inserts hr bel' and Jr-yq 


Q~ ,Y ,r 


ot~ ,X - ,q~ 

in bel”. The value of Y follows the rules of tag updates. 

Illustration. In Figure 5 several transitions correspond to the transition (qo, ±o, in, qo, lod) 
of V, including (run, }, in, run , { }{ and several transitions correspond 

to the transition (q 0 ,7 ,m,g 0 ,7Y) of V, including (run, in, run, { })■ 

Here, the specification of the tag updates is straightforward since it does not involve faulty 
runs. The runs represented in Figure 5 use these two transitions from the initial state. 


Local transitions. Given an observed local event o e from the control state run 
with top stack symbol bel, there is a looping local transitions (run, bel, o, run, bel 1 ) in A(V) 
that encodes the possible signalling runs with observation o in V. More precisely for every 
transition sequence (q, a) => (r, f3) in V (i.e. a sequence of unobservable local events ended 
by an event e with V(e) = o) and A’^A 1 - 6 bel one inserts 4j _ in bel'. The value of Y 
follows the rules of tag updates. 

Illustration. In the VPA A(V) of Figure 5 there are several transitions corresponding to 
transition (qo,^, serve, qi,"f) of V including (run, { }> serve, run, { ^ })■ The runs 

represented in Figure 5 use this transition. 

Pop transitions. Given an observed local event o € E 0ib , from the control state run with 
top stack symbol bel, the “pop operation” is performed by a sequence of two transitions: a 
pop transition labelled by o that keeps in the next state all the information needed by the 
next (local) transition labelled by e to move back to state run with a consistent stack symbol. 
Given an intermediate stack symbol, there is exactly one possible such transition. Thus 
despite these transitions, A(V) is still deterministic. The first transition (run,bel,o,l,e) 
in A(V) is specified as follows. The next state I is a set of items of the following shape 
a _ q _ . More precisely for every transition sequence (q,a) =>• (r, e) in V (i.e. a sequence of 
unobservable local events ended by an event e with V(e) = o) and a A’^A e bel one inserts 
a _ x- _ in I. The value of Y follows the rules of tag updates. A transition (I, bel, e, run, bel') 
is specified as follows. For every *^q ^ an< ^ 7 -x- g q- ^ the denominator of the 

first fraction and the numerator of the second fraction match), one inserts i n bel'. 

Illustration. Let us describe how the pop event is performed by two transitions in the runs of 
the VPA of Figure 5 from the state reached after event serve. From q\ with 7 as top of the 
stack there are two transitions whose observation is pop: (qi,^,out,qi,e) and (q±, 7 , f, / 1 , e). 
Thus starting from run with top stack symbol }, one reaches state I = { 7 U [/q 0 > ^u^q 0 }■ 

The faulty run is tagged with W as there was no tag W in the former top stack symbol. In 
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the next configuration, the top stack symbol is So the transition labelled by e 

moves back to state run with updated top stack symbol { 7 0 ’u'go ’ lo^u’go )• 

Product VPA. We first define V whose set of states Q is a duplication of Q in correct 
states Q c and faulty states Qf. Given a transition of V starting from q leading to q there 
is in V a transition starting from qf leading to q'f and a transition starting from q c leading 
either to q' c if the event is not f or to q ^ otherwise. We then construct Va(v) = V x A(V) 
the product automaton of V and A(V) synchronised on the alphabet of observed events T, a . 
The transitions of V labelled by unobservable events do not change the second component of 
the state and the transitions of A{V) labelled by e do not change the first component of the 
state. Due to the determinism of M(V), Va(v) has the same probabilistic behaviour as the 
one of V except that it memorises additional information along the run. More precisely, let p 
be a run of V, then p , a run of V/i(y), is obtained from p by following the same transitions 
and adding the single © transition firable after any pop transition. One immediately gets 
P Va ( v)(p) = p v(p)- 

Let us explain how to transform the paths formulae f, it and 2U into atomic propositions 
on the pairs ((q,run){ r ) 1 bel)) consisting of a control state of V^(y) together with a top 
stack contents. For path formula f, we define the corresponding atomic proposition Vf by 
nf((q,run)(^f, bel)) = true if and only if q e Qf. Let bel £ (F x Tg x Q) 2 , we say that X 
occurs in bel if there exists e bel. We define atomic propositions v u and v w by: 

i / u((q,run)( 7 , bel)) = true if and only if U occurs in bel ; and v w ((q,run)( 7 , bel)) = true if 
and only if W occurs in bel. 

Given a run p of Va(v), we write last(p) for the pair formed of the control state and top 
stack symbol in Va(v) after p. The atomic propositions Uf and v u perfectly reflect the paths 
formula f and if, and v w is eventually forever true if and only if 2 U is. 

► Proposition 13. Let p be an infinite run ofV. Then: 

— For all k e N, f(pik) <=> ^/(last(p ifc )) and il (p lk ) <=> v u (\ast(p lk )); 

b p t= O □ 2U <=>■ 3K\/k > K. j/ UJ (last(p|fc)) = true. 

Thanks to the relationships between the paths formulae, and the atomic propositions, and 
using the characterisations from Section 3, we manage to reduce the FF-, IF- and lA-diagnosis 
to the model checking of a pLTL formula on the product VPA V^y). Model checking 
qualitative pLTL for probabilistic pushdown automata is doable in polynomial space in the 

size of the model [7]. In our case, V_ 4 (y) is exponential in the size of V. We thus obtain the 

decidability and a complexity upper-bound for the diagnosability problems for POpVPA. 

► Theorem 14. FF -diagnosability, IF -diagnosability and \A-diagnosability are decidable in 

EXPSPACE for POpVPA. 

Reducing the universality problem for VPA, which is known to be EXPTIME-complete [1], 
we obtain the EXPTIM E-hardness of all diagnosability variants for POpVPA. 

► Theorem 15. Diagnosability is EXPTIME -hard for POpVPA. 

The restriction to visibly pushdown automata is motivated by the unfeasibility of diagnosis 
for general probabilistic pushdown automata. The undecidability can be obtained by adapting 
the proof for diagnosis of non-probabilistic pushdown automata [11]. However, in order to 
show how robust the result is, we rather reduce from the Post Correspondence Problem 
and prove the undecidability of diagnosability for restricted classes of partially observable 
probabilistic pushdown automata, see Theorems 23 and 24 in Appendix B.4. 
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5 Conclusion 

We studied the diagnosability problem for infinite-state probabilistic systems, both from a 
semantical perspective, and from an algorithmic one when considering probabilistic visibly 
pushdown automata. A natural research aim is to reduce the complexity gap for the 
diagnosability of POpVPA (currently EXPTIME-hard and in EXPSPACE). We could also 
investigate the diagnosability problem for other probabilistic extensions infinite state systems, 
such as lossy channel systems or VASS. Another research direction would be to consider the 
fault diagnosis problem for continuous-time probabilistic models, starting with CTMC. 
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A Proofs for Section 3 

► Proposition 5. Let J\f be a POpLTS. Then J\f is FF -diagnosable iff N 0 (O □ (f a it)). 

Proof. Consider the set of fault-triggering runs: 


51= {p = qoaoqi ■ ■ -a k -iqk | afc-i = f a Vi < k- 1, o,tf) . 

Write E = {p e LI | O □ (f A il)} for the set of runs we are interested in. We further define, for 
every p e 91, E p = {p' e | p < p' f\p' t= ail} and for every n e N, E p = {p' e FI 1 p < p'Ap' t= □"!!} 
where p 1= n n <j> if for every k < n, p,k\= (f). Observe that E = U p6 ;r E p and that E p = 

Thus P (E) = £ pgSH P (E p ) and lim^^ P(£ p ) = P (E p ). 

• Assume first that P (E) > 0. Then, there exists p e 1R such that P (E p ) > 0. By definition, 
for every n > \p\ 0 P(FAmb„) > P(E p ). Thus, M is not FF-diagnosable. 

• Assume now that P (E) = 0. So, for every p € IR, P (E p ) = 0. Let us pick some e > 0. Since 

F = UneN F„, there exists no such that for every n > no, P(F \ F„) < |. Let = {p e \ 
\p\o < no). Pick a finite subset 1R" of IR' such that Z p6 sh'\ 9 %"P(p) ^ §■ Define I< = |£R"|. 
Let m be such that for every n > m and every p e JR", P (E p ) < Observe now that 
for every n > n 0 , FAmb„ £ (F \ F n ) u U p6 s«'xai" C{p) u \J p ^" E p- Thus, for every n > ni, 
P(FAmb„) <| + |+A'g|^=e. Since e is arbitrary, J\f is FF-diagnosable. « 

► Proposition 6. Let M be a finitely branching POpLTS. Then J\f is IA -diagnosable iff 
M i= P =0 (O □ (il a 2R)). 

Proof. It is enough to show that p e LI is ambiguous if and only if p t= O □ (11 a 2IJ). We focus 
below on correct runs; the case of faulty runs is similar and even simpler. 

• Let p e CAmboo. Since p is ambiguous, there exists a faulty run p' such that V(p') = P{p). 
Let k 0 be such that p'^ ko is faulty. Thus for all k > ho, firstf (V(pik)) < k 0 and in addition it is 
non decreasing. So there exists some k-\ > ko such that for all k > k\, firstf(7 :, (pj,fc)) is constant. 
We thus obtain p t= O □ 2U- Moreover, since p t= □ if, we conclude that p(= O □ (UaOR). 

• Let p be a correct run such that p 1= O □ (it a 2R). Thus there is a position ko such that for 

all k > ko, p,k\= 2U. In particular, by definition of 22J, for all k > ko, there is a finite signalling 
run p such that P(p'^) = V(pik) and p^ is faulty. Consider the tree of these runs p'^ 
by merging the common prefixes. This tree is finitely branching and infinite. By Konig’s 
lemma, it must admit an infinite branch, corresponding to a run p' with V(p') = V(p) and 
p' iko faulty. We deduce that p is ambiguous. « 

Let us recall some standard facts about Borel sets and measures. A set F is closed if and 
only if F = flneN O n where O n is a union of cylinders defined by O n = {C(p) | \p\ = n A Ip' e 
F,p< p'}. Thus an F a set F can be written as F = UmeN ClneN O m n where O m ^ n is a union 
of cylinders whose associated paths have length n. Without loss of generality, the sequence 
of closed sets may be chosen as a non decreasing sequence. The measures we have defined 
in the core of the paper are regular. In particular, for every measurable set E such that 
P (E) > 0, there exists a closed set F £ E such that P(F) > 0. 

► Proposition 7. There exists a finitely-branching LTS C and a mask function V such that 
for every F„ set E of runs, there exists a POpLTS N = ((£,P),£ 0 ,'P) such that: 

h either M is FA -diagnosable and P m{E) > 0; 
h or M is not FA-diagnosable and P j\[(E) = 0. 

Proof. Consider the LTS £ = (Q,qo,Tj,T) defined as follows and let the mask function be 
defined by: V(u) =V(i) = e and V is the identity over the other events. 


N. Bertrand and S. Haddad and E. Lefaucheux 


15 


- Q = u{<?i | i €N}; 

h E = {a, 6, c, u, f}; 

- T = {(go,w,9/),(go,w,9i),(Q , /,a,^/),(g , /,6,g/),(g/,f,/i),(/i,6,/i),(/i,c,/i)} 
u {(qi,a,q i+1 ),(qi,b,q i+1 )}i> 1 . 



Figure 6 A family of POpLTS whose underlying LTS has no appropriate characterisation of 
FA-diagnosability. 


We consider a family of POpLTS, represented in Figure 6, with underlying LTS C. For 
P = {Pn)n>i a sequence of probabilities, we define the POpLTS A f p = ((£, P p ), Eq,? 7 ) in 
which for every n > 1 the probability that b occurs from state q n is P p (q n , b , q n +i) = Pm and 
all other probabilities are independent of p: P p (qo,u,qf) = P p (qo,u,qi) = P p (fi,b, f±) = 
P p (/i,c,/i) = P p (qf,a,q f ) = P p (q f ,b,q f ) = P p (q/,f,/i) = |. 

Observe that lim^oo P(FAmb„) = 0 and P(CAmb„_i) - p n + Therefore, Af p is FA- 
diagnosable iff lim„— >00 j) n = 0. 

Let E be an arbitrary F a set. Pick some FA-diagnosable J\f p i.e. with lim„— >00 j) n = 0. If 
P p (-E) > 0 where P p is the probability measure of this POpLTS, we are done. Assume thus 
that P p (£’) = 0. In order to define a second POpLTS, via p', consider an infinite increasing 
sequence {rij}j <i and let for n £ {rij }j<i, p' n = p n and for n e {ri;}y>i, p' n -\- Due to the 
sub-sequence p' n = |, Af p > is not FA-diagnosable. The sequence {rij }j<i depends on P p and 
will be defined after some preliminary observations. 

Let F = {p | qouqi < p}. Denoting P p < the probability measure of the second POpLTS, 
observe that P P '{E \F) = P p (E \ F) = 0. Using the above discussion, the F a set E n F = 
UmeN flneN Om,n where for all m,n, Om,n is a disjoint union of cylinders C(p) with \p\ = n, 
Om : n +1 F Orn,n and Orn,n — Denote F m — Om : n For all to, lim^—^oo P p {Om,n ) — 

P p (EnF m ) < P p (E n F) = 0. 

• n i is chosen such that for all n > n\, p n < |. Observe now that for all rij , 

p' = - =- p n . and 1 - p' = - < 1 - Pn <-(1 - Pn ) 

n > 2 2 p nj Pn ’ Vn > 2 ^ 2 p n . K 

By definition of P p ', since O mjn is a disjoint union of cylinders C(p) with \p\ = n , applying 
inductively the previous inequalities, for all n such that < n< rik+i (denoting n 0 = 0): 


Pp'(Om,n) < 


Pp(Qm,n) 
Ul< 0< k Prij 


(1) 


• Assume that we have chosen ni,... ,rik ■ Since lim^oo P p (Ok, n ) = 0, there exists rik+i > rik 
such that P p (Ofe,n fc+1 ) < Y\\<j<kPnj- We choose such an index. 

Equation 1 now implies that for all m < k, P P '(O mjnfc+1 ) < Pp'(Ok, nk +i) < Thus for all 
to, Pp'(F’m) = lim fc _ 00 P p /(O mi „ l!+1 ) = 0. Since E n F = \J m rn F m, P p >{EnF) = 0 and so 
P P '(U) = 0. 
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► Proposition 8. There exists a finitely-branching LTS C and a mask function V such that 
for every Borel set E of runs, there exists a POpLTS J\T = ((£,P),£ 0 ,'P) such that: 
h either M is FA-diagnosable and ¥jy(E) = 0; 
h or Af is not FA-diagnosable and P jy(E) > 0. 

Proof. Consider the LTS C - (Q,qo,T,,T) defined as follows, and let the mask function be 
defined by: V(u) = V(i) = e and V is the identity over the other events. 

- 0 = {/i 1 9/,9o}u{g»|we(a + 6)*}; 

h £ = {a, b, c, u, f}; 

U { (Qw ? &•> qwa) i [quo i qwb') }u>e( a+b )*• 



Figure 7 Another family of POpLTS whose underlying LTS has no appropriate characterisation 
of FA-diagnosability. 


We consider a family of POpLTS, represented in Figure 7, with underlying LTS C , para- 
meterised by a mapping p : (a + b)* -»■ (0,1). Let Af p = ((£,P p ),£ 0 ,'P) be the POpLTS such 
that the probability that b occurs from state q w is P (q w , b, q w b ) = p(w), and all other probab¬ 
ilities are independent from p: P p (q 0 ,u,qf) = P p (q 0 ,u,qi) = P p (/i,6,/i) = P p (/i,c,/i) = \, 
P p (qj,a,qf) = P p (qj, b, qf) = P p (q/,f,/i) = In the sequel, for convenience, we also write 
p (w,b) for p(w), and define p(u>,a) = 1 - p(u>), so that P(q w ,a,q wa ) = p (w,a). 

Word w can be decomposed into letters w = m[l]... w\n\, and we give notations for factors: 
ui[l,fc] = u>[l]... icf/c] with the convention that u;[l,0] = e. Finally we define p p (w ) = 
rii<fe<n — l],w[A:]), as the probability to read w from q e . Since lim,^^ P(FAmb„) = 

0 and P(CAmb„_i) = T,\ w \=n-iP( w ^) + 2 3 „. , we deduce that J\f p is FA-diagnosable iff 
lim n —s-co Y,\ w \=n-\ P( w , b ) = 0- 

Let E be an arbitrary measurable set. Pick some POpLTS A f p which is FA-diagnosable, 
i.e. with lim„^oo E|u;|=n-i = 0- If P p (l£) = 0 where P p is the probability of this 

POpLTS, we are done. Assume therefore that P p (-E) > 0. Let F = {p \ qouq e E p} be the set 
of runs starting with a u-transition to q e . Denoting P p < the probability measure of any other 
POpLTS Af P ', observe that P p '(i? \ F) = P p (S \ F). So, if P p (i5 \ F) > 0, then by picking 
any non FA-diagnosable (£,P p '), we are done. So assume P p {E \ F) = 0 which implies 
P p (A n F) > 0. Using our recalls, there exists a closed set G £ E n F with P p (G) > 0. 

If G = F then P p <(G) = P p (G) = In this case, we can therefore conclude by picking any 
non FA-diagnosable POpLTS Af p >. 

Assuming G £ F, since G is closed, there is some cylinder C(p) with p = qouq e ...q w such 
that GnG(p) = 0. Then we define the POpLTS J\f p < as the POpLTS Af p except that for every 
w < w' and every x e {a, 6), pThus for every n > |u>|, T,\ W '\=n p'( w 'i b ) - Pp 2 ^ ■ 
So Af p > is not FA-diagnosable. On the other hand, P p '(A n F) > P p <(G) = P p (G) >0. •« 




N. Bertrand and S. Haddad and E. Lefaucheux 


17 


B Details and proofs for Section 4 


B.l Formal definitions 


Here we give formal definitions omitted in the core of the paper due to space constraints. 
More precisely given a POpVPA V, we define its estimate VPA A{V), its enlarged VPA V 
and their synchronised product. 

Let p e { g,c, /} we write {q, 7 ) ( q',w ) with o e £„ if when p = g (resp. c, /), there 

exists a general (resp. correct, faulty) run of transitions starting from ( 5 , 7 ) to ( q',w ) such 
that all transitions are unobservable except the last one labelled by e with V{e) = o. Let 
p be such a run then we also write ( 9 , 7 ) ( q',w) All transitions of such runs are local 

except the last one whose type depends on the type of o. 

► Definition 16. Given (V,V,T, 0 ) a POpVPA with V = {Q, £, T, S, P), its estimate VPA is 
the deterministic VPA A{V) = {Q e ,T, a ,T e ,S e ) defined by: 
b Q e = {run) tu (2 rx ( Tgx< 3) \ 0 ) is the set of states with initial state q$ = run ; 

_ T e = 2 ( rxTgx< 2 )~ \ 0 is the stack alphabet with set of bottom stack symbols T® = 2 /mt \ 0 
where Init = { I (A, q) 6 Tg x Q) and initial stack symbol 

h The transition relation S e is defined as follows. 


local transitions {run, bel,o, run, bel') e S e if: 

“ c^’u’q- € bel' iff there exists e bel and ( q,a ) => c (r, / 3). 

_ If W occurs in bel, P’^’ r e bel' iff there exists a gi' q e bel and (q, a) 

_ If W occurs in bel, € bel' iff 

7 ct~ ,X,q~ 

( 1 ) there exists e bel and {q,a) =>f ( r,{3 ) or 

(2) there exists q _ e bel and ( q,a ) => g (r,/3). 

_ If W does not occur in bel, e bel' iff 

( 1 ) there exists a ”’^_ e bel and ( q,a) =>f (r,/?) or 

(2) there exists e bel and ( q,a ) = > g (r,[3). 

push transitions {run, bel,o, run, bel'bel'') e 5 e if: 


e bel' and Mf- 6 

,U,r 


a ,U,y /3 

If W occurs in bel 


bel" iff there exists e bel and {q,a) 

ot .U.o v ^ 7 ' 




bel' and e 

P ,W,r 


,U,T 
&eZ" iff 


there exists ggg'g e bel and (q,o:) => s {r,/3 (3). 

_ If W occurs in bel, ^ g’ r € bel' and a’\', r e &eZ” iff 

(1) there exists € bel and (< 7 , a) {r,/3~/3) or 

( 2 ) there exists c g 'g q q - e bel and {q,a) => g {r,/3~/3). 

- If W does not occur in bel, e bel' and £3?.? e bel" iff 

7 a ,X,q (3 ,W,r 


( 1 ) there exists e bel and {q,a) =>f {r,/3 (3) or 

(2) there exists € bel and {q,a) => g {r,{3~f3). 

pop transitions {run, bel,o,£,e ) € S e with l € Q e \ {run) if: 


U ,r 


a~ ,\J,q~ 


S i iff € bel and {q, a) =^> c {r, e). 


■g ( r >/3)- 


c {r,/3 /3). 


_ If W occurs in bel, w Y r _ € £ iff there exists a j^' q e &el and (q, a) =>„ (r, e). 

7 a ,X,q a ,X,q v ^ 7 ' y v 7 / 

_ If W occurs in bel, —— € £ iff 

7 a~ ,X,q~ 

( 1 ) there exists s bel and {q,a) =>f {r,s) or 

( 2 ) there exists 6 bel and {q,a) => g (r,e). 
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■ If W does not occur in bel, _ € i iff 

( 1 ) there exists € bel and ( q,a ) ==>/ (r,£) or 

( 2 ) there exists e &eZ and (q,a) => g (r,/3“/3). 

e-transitions (I, bel,e, run, bel') e 5 e if: 

a,x _ s bel' iff there exists _ € bel and x J r € £ 

a. ,X ,q a ,X ,g ot,X,q 

While A(V) contains £-transitions it is deterministic: from any configuration, either a 
single e-transition is enabled or for all event o, there is at most one o-transition enabled. We 
say that a configuration is stable if its associated state is run. 

Illustration. Let us look at the run given in the example of Figure 5. It starts in the initial 
configuration (run, |{ |°’^° }|) which represents the empty run. 

From qo there exists only one path of observation in the POpVPA. As this path is correct, 

f 7,U,go i 

by reading in on the estimate VPA we reach (run, lnUnn 


J-o,U,9o 
f lO.U.gO 1 
*- lo,U,(/o ' 


). The new element of the stack 


I uh^qo ) s ig n ^ es that the real stack has head 7 and is in go after a correct run, moreover 
the run entered go when it pushed this 7 and it does not have a second non-terminal element 

f 7,U,<?o ~i 
'Y.U.fln J 

in our stack. Reading a second in is still doable by a single run, we reach (run, 


7,U,9o 
r 7.U.90 1 

I n . IJ .An J 


) 


• J-o,U,9o 
I lQ,U,gO \ 

I lo.U.ijo I 

which modifies one information compared to before: we know from the bottom part of the 
head stack that the stack has at least a second 7 . 

Reading a serve then is possible as there exists a correct signalling run from go to q± 
with only observable serve. The estimate VPA modifies the head stack so as to represent 
that the run we follow is now in gi but without modifying anything else. 

Reading a pop event raises a complication: from qi with head of stack 7 , reading a pop 
can be done by a correct run staying in qi or by a faulty run going in fi. To represent 
this and the popping of the stack, we go in two steps. In the first step, we go to the state 
{ , 7 W y^ o } which keeps the information of the two possibilities of current configuration 

and we pop the stack. In the second step, we deterministicaly read an e transition that 
transfer this information from the state to the stack. In order to transfer the information, 
the estimate VPA checks which of the current possible runs (represented by and 
corresponds to each of the new head of stack. This is done by comparing the bottom part of 
the run with the top part of the head of stack, here 7 , U,go in every cases. Reading a second 
pop realises a similar process reaching (run, |{ }|). An empty would lead to 

(run, |{ u go )|) as there is a correct run from gi to go labelled by empty but no run from 
fi with such label. Conversely a reset can not be read from gi but it can be read from / 1 , 
thus we reach (run, |{ 1 °^ 0 ° }|). 

The estimate VPA manages information in order to evaluate v u and v w . In order to 
evaluate Vf, the enlarged POpVPA keeps within its states the status (correct/faulty) of the 
run. 


► Definition 17. Let V = (Q,T,,T,S, P) be a pVPA. Then the pVPA V = (Q,E,P,<5,P) is 
defined by: 

™ Q = Qc®Qf where Q c = {q c \ q e Q} and Qf = {g/ ] g e Q} with initial state go jC ; 
h For all (q,"f,a,q' ,w) e S with at f and all g € {c, /}, (q g ,^,a,q' g ,w) e 5; 

■ For all (g, 7 , f, g', w) e S and all g € {c, /}, (q g ,"i,i,q' f ,w) e 5; 

- For all (g s , 7 , a, q' g ',w) e (5, P(g 9 , 7 , a, q' g ,, w) = P(g, 7 ,a,g',w). 
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We now define the product Va(v) between V and A(V) that keeps all the information we 
need along a run. 

► Definition 18. Given (V,V, £ 0 ) a POpVPA with V = (Q,£,r,<5, P) and A(V) = ( Q e , run, £ 0 ,r e ,<5 e ), 
their synchronised product is the pVPA V_ 4 (y) = (Q A , £ u {©}, T -4 , S A , P" 4 ) where: 
b Q a - Q x Q e is the set of control states with initial state q A = (qo,c, run)-, 
h T" 4 = P x P e is the stack alphabet with T ± x T® the set of bottom stack symbols and 
J-o 1 = (J-o, i^u^) the initial symbol; 
b The transition relation S A consists of: 
local transitions. 

• For all (g, 7 , a, q',Y) e 5 with a unobservable and bel e T e , 

((q, run), ( 7 , bel),a, (q', run), ( 7 ', bel)) € S A ; 

• For all ( 5 , 7 , a, q', 7 ') e S and (run, bel, o, run, bel') e 5 e with V(a) = o; 

((q, run), ( 7 , bel), a, (q', run), ( 7 ', bel'Y) e S A \ 

• For all (I, bel, e, run, bel 1 ) e 5 e , qeQ and 7 € T, 

((<?, t), ( 7 , bel),e, (q, run), ( 7 , bel')) e S A ; 

push transitions. 

• For all (q,'y,a,q , ,'y'"f") e S and ( run, bel, o, run, bel'bel") 6 S e with V(a) = o; 

(( Q , run), ( 7 , bel), a, (q’,run),(Y, bel')( 7 ", bel")) 6 S A ; 

pop transitions. 

• For all (q,"/,a,q',e) e S and ( run,bel,o,£,e) e S e with V(a) = o; 

((q, run), ( 7 , bel),a,(q r ,£),e) e S A ; 

b The transition probability function P A is defined by: 

- P A ((q, run), ( 7 , bel), a, (q', run), ( 7 ', bel')) = P (q, 7 , a, q', 7 '); 

- P A ((q,run), ( 7 , bel),a, (q 1 , run), ( 7 ', bel')( 7 ", bel")) = P(9,7,a,g',7'7"); 

- P A ((q,run),(-y, bel),a,(q',l),e) = P(q,j,a,q',e); 

- for £ e Q e \ {run},P A ((q,t), ( 7 , bel),Q, (q, run), ( 7 , bel')) = 1. 


Illustration. The product POpVPA contains the current run of the POpVPA, information 
on the correctness of the run and the information given by the estimate POpVPA. If we 
look at the faulty run given in the example of Figure 4, after reading in, we are in state 

( qo tC ,run) meaning our real state is qo, it was reached by a correct run and our estimate 

f 1 

In . U .On J 


VPA is in state run, the head of stack is ( 7 , 


), meaning our real head is 7 and the 


‘ lo.U.qo- 
f lo,U,qo 1 
tlo,U,qo ' 

rest is the head of the estimate VPA. If we follow the faulty run until after the first pop, we 
reach the state (fij, { 7 ^ 7 ^; }), we are thus in fi with a faulty run and the estimate 

VPA is in one of the temporary states. In order to leave this state, we read a © which leads 
to the state (fij,run). © is an event affecting only the part of the POpVPA corresponding 
to the estimate VPA, making it realises the £ transition. 

Given a finite run p of V, we inductively define the run p of V_ 4 (y) as follows. First 
(qo,±o) = (goSlo 1 ). Let p of length n > 1, a e E and q £ Q and 71....,77 e T such that 
p = p'a(q, 71 .. .7 h )- If a £ E b then p = p'a((qg, run), ( 71 , beh)... (- / h ,bel h )) where g = c iff 
p is correct and (run, bel\... belh) is the configuration reached by V(p) in A(V). If a e £|, 
then p= p'a((q g ,£), ( 7 i, 6 eZi) ... ( 7 h ,bel h )) Q ((q g ,run), (ji,beh )... ( 7 ^- 1 , 6 e 4 _i)( 7 / l , bel' h )) 
where g = c iff p is correct, (£,bel\.. .belh) is the configuration reached by V(p) in A(V) 
and (run, beli... belh-ibel’ h ) is the single next configuration reached by an e transition. As 
previously observed, P(p) = P(p). 
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B.2 Decidability of diagnosability for POpVPA 


In order to prove decidability of diagnosability for a POpVPA V, one wants to check whether 
the formulae characterising diagnosability hold on V. To do so, we transform the pathL 
formulae of Section 3 into pLTL properties that are checked on V^(v)- These pathL formulae 
use three paths formulae f, il and 2U. In the core of the paper, we explained how to define 
alternative pLTL formulae, relying on atomic propositions up, v u and u w that only depend 
on the current control state and top of stack symbol of V^(v)- Proposition 19 links runs of 
V and observed sequences of A(V) and Proposition 13 establishes the correctness of the As 
with respect to the paths formulae f, U and 2 U. 


► Proposition 19. Let a be an observed sequence of A(V) and p* be its corresponding finite 
run with successive stable configurations ( run,Wo) ■ ■ ■ (run,w n ). Let w n = bel\.. .belh and 
for i <n, bel O be the top stack symbol of Wi. Then: 


For all — 7h y Xh ’ 9fe — e belh , there exists a sequence ( 
7h-l.Xh-l.9h-l 11 


7i.Xj.9i 


Such that f° r al1 h 

7 i x i <3 i ^ an d a signalling run p of V such that V(p) = a that reaches configuration 

(qh, 71 • • • Jh)- In addition: 
h if X/j = U then p may be chosen correct; 
h if Xh + U then p may be chosen faulty; 

h if Xh = W then there exists 0 < k < n, such that p±k is faulty and W does not occur in 
6 eZ (fc_1) . 

• Conversely, let p be a signalling run of V such that V(p) = er reaching configuration 
(qh, 71 • • • 7 ft,). there exists a sequence ( — 1 )o<i<fe such that for alii, 1 € belt. 

In addition: 

h if p is correct then Xh = U; 
h if p is faulty then Xh + U ; 

h if there exists 0 < k < n, such that pik is faulty and W does not occur in bel^ k ~^ then 
X h = W. 


Proof. We prove it by induction on |cr|. The basis case is straightforward. For the inductive 
step, we only detail the most involved case: er[n] e T, 0 ^. For the properties related to tags, we 
only detail the ones related to W. Denote a' = cr[l]... a[n - 1] and w n -\ = bel[... bel' h bel' h+1 . 


• Let 


7h -X„ .q h 

lh-1 


6 belh■ By construction, there exists 7h+1 ,’ X y 1 ’? h+1 e bel' h+1 with 7^ = 7ft,, 


a signalling run (< 3 ^ + 1 , 7 ft+i) (dh,e) with proj(p") = a[n\, lh £ h ' qh , e bel' h where 

' h— 1’ h— l’^h—1 

( 7 ft-L’ X ft-L> 9 ft-i) = ( 7 ft-i,Xft_i, gft_i) and X h is obtained by updating X' h+1 w.r.t. bel' h+1 and 
p". In particular if Xh = W then 

(1) X' +1 = W, or 

(2) W does not occurs in bel' h+1 and (a) X' h+1 = V or (b) X ^ +1 = U and p" is faulty. 

By inductive hypothesis, there exists a sequence ( , ''3 ' q ‘, — )o <i<h such that for all i, 

' 7 £‘*' € bel'; and a signalling run p' of V such that V(p') = a' reaching configuration 

Wh+ li 7 i • • ■ 7ft+i)- Consider the signalling run p = p'p"; it reaches configuration (qhil'i ■ ■ ■ 7ft)- 
Since for all i < h, bel( = belt, the sequence ( / li £ i ' qi , — )o<i<ft and the run p are appropriate. 
The three additional properties follow from the rules of tag updates. 

In particular, if Xh = W, then 

o the assertion ( 1 ) holds and then the property comes from the inductive hypothesis, or 
o the assertion (2) holds which implies that W does not occur in bel' h+1 and p is faulty. 

• Let p be a signalling run of V such that V(p) = a which reaches configuration (qh,Ti •. - 7 ft)- 

Let us write p = p{ n -ip" with (<Zft + i, 7 ft + i) => ( qn ,£)■ By the inductive hypothesis, there 
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exists a sequence ( y — )o<i</i+i such that for all i , y li £ i,<li q . 1 e bel[ and for all i < h, 

7 [ - 7 i. By construction, , — g bel h for some X^. Since bel, = bel', for all i < h, we 

obtain the required sequence of items. 

The three additional properties follow from the rules of tag updates. In particular, assume 
there exists 0 < k < n, such that pik is faulty and W does not occur in bel k ~ l . 
o If pi n -i is correct then, as p is faulty, p" is faulty and W does not occur in bel * 1-1 = bel' h+1 . 
So by construction = W. 
o If pi n -1 is faulty then 

b either X ^ +1 = W and by construction X;, = W, 

— or X^ +1 = V. By induction hypothesis there does not exist 0 < k < n - 1, such that p^ is 
faulty and W does not occur in bel k ~ l . So W does not occur in bel n ~ 1 = bel' h+1 . Therefore 
X, = W. 


► Proposition 13. Let p be an infinite run ofV. Then: 

- For all k e N, f (p lk ) <=> i/f(\ast(p lk )) and il (p lk ) <=> r' u (last(p ifc )); 
h p (= O □ 2 U <=> IKMk > K. !/ UJ (last(/fo ; )) = true. 

Proof. First, remark that f and Vf obviously coincide: they both express that a fault 
occurred. 

To prove the second item, about il and v u , we use the link from between observed sequences 
and the tag U in V/qy)- Let a be an observed sequence triggered by a run of V. Then bel a is 
the top stack symbol of the stable configuration in .A(V) reached by the run accepting a (so 
ending by an e-transition if the last event is a pop event). Due to Proposition 19, U occurs 
in bel(j iff there is a correct signalling run of V with observed sequence a. According to the 
definition of v U: we thus deduce that for any finite signalling run p of V, r , u (last(p)) = true iff 
il (p) = true. 

We now establish the link between 2U and Vw- T° show the left-to-right implication, let 
p e 0 and K 0 6 N be such that p,K 0 t= (n2IJ. By definition of 22J, firstf (V(pik)) is constant 
and bounded by K 0 for k > K 0 . For all k e N, let belk be the top stack symbol reached in 
A(V) after reading the observed sequence V(pik)- If for all k > K 0 , W occurs in belk , then 
for all k > A' 0 , ^(last (pik)) = true. Otherwise there exists Ki > K 0 such that W does not 
occur in belx^- Let k > K x , as firstf (V(pik)) ^ A 0 , there exists a faulty run p’ of V_ 4 (y) such 
that V(p') = V(pin) and p\ K is faulty. W does not occur in belx 1 and p [ Kl+1 is faulty. Thus 
by Proposition 19, W occurs in belk■ Therefore for all n > v w (\ast(pi n )) = true. 

Let us show the right-to-left implication. Let p e Ft and K e N be such that for all k > K , 
i/ u ,(last( / 0 |fc)) = true. By definition of v w for all k > K , W occurs in belk (defined as above). Let 
k > K, by Proposition 19, there exists a run p’ of V_ 4 (y) such that V(p') = V{p\k) and there 
exists n< k such that p[ n is faulty and W does not occur in bel n -\. Thus n < K. Therefore 
for all k > K, firstf('P(/ 9 ;fc)) < K. Since beyond K firstf is bounded, it is non decreasing and 
then eventually constant. Let K' such that for all k > K firstf (V(pik)) = first^T^pjfc-i)). 
So p, K' (= d 2U and thus p t= O □ 2H. •* 

We extend Uf, v u and v w over configurations cf = ((q,£),w)) with £ t run by Vf(cf) = 
fox(c/) = v w (cf) = true. 

► Theorem 14. FF -diagnosability, IF - diagnosability and IA -diagnosability are decidable in 

EX PS PACE for POpVPA. 
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Proof. The above lemmas allows us to derive pLTL characterisations of diagnosability for 
POpVPA. Namely, for V a POpVPA, as V and Vyqy) have the same probabilistic behaviour, 
b V is FF-diagnosable iff Va{v) t= P =0 (O □ (uf A v u )); 

_ V is lA-diagnosable iff V/qy) t= P =0 (O □ (v u A v w )). 

Moreover, since the POpLTS generated by POpPDA are finitely-branching, IF-diagnosability 
coincides with FF-diagnosability [3] (See also 4). The two above qualitative pLTL formulae 
can be checked on general probabilistic pushdown automata (beyond visibly pushdown ones) 
thanks to [ 6 ]. More precisely, one can transform V_ 4 (y) into a recursive Markov chain (the 
transformation is linear) [7]. Then, the model checking of qualitative pLTL on recursive 
Markov chains is doable in PSPACE in the size of the Recursive Markov Chain and EXPTIME 
in the size of the formulae [ 6 ]. In our case, the product VPA V_ 4 (y) is exponential in the 
size of V and the size of the formulae is constant. This yields an EXPSPACE algorithm for 
checking diagnosability of POpVPA. ■* 

B.3 EXPTIME-hardness of the diagnosability for POpVPA 

We prove here Theorem 15, stating the EXPTIME-hardness of diagnosability for POpVPA. 
Let us restate it below more precisely. 

► Theorem 20. FF -diagnosability, FA- diagnosability and I A- diagnosability are EXPTIME-/iard 
for POpVPA. 

Proof. Let us start with FF-diagnosability. The proof is by reduction from the universality 
problem for VPA, which is known to be EXPTIM E-hard [1]. 

From a VPA V = (Q, £, P, S) and a subset of accepting control states Qf £ Q, we build a 
pVPA V' = (Q',£',r', V,P') as follows: 
h Q' = Q u {/ 0 , / t , q' Q: < 7 t } and q' 0 is the initial state; 

- E' = Ea {f,u,b,I]}; 

_ T' = T&{B} andr; =r i; 

h Writing c^, resp. and <5|, for the set of local resp. push and pop transitions of V, S' 
consists of the following transitions: 

local ^ u {(go, lo, u, lo, ?o)i (ffoi J-Oj fj J-o, /o), (/o)7i IliTi /i>) I 7 6 Tu {i 0 }} 
u {(<?,7,11,7,%) I 9 6 Q/i 7 € T u {J-o}} 
u {(/o,7.«j7./o) I a 6 5^,7 € {£,lo}} 

U {(db? -L 0 ? I], 4-0 5 do) ;(/b;-L 0 )l|;-L 0 > fo)}\ 
push u {(/o, 7 ,a, 7 R,/o) |aeS # , 7 €{R,i 0 }}; 

pop <5 b u {(f 0 ,B,a,e,f 0 ) \ a e EJ u b,e, / b )} u {(g b ,7, b,e, 5 b) I 7 e r ); 

P' is such that for every 7 € P, P , (/o ) 7 , 1 ]) 7 , /b) = and assigns arbitrary positive 
probabilities to the other transitions in S'. 

We further consider the POpVPA (V',T, 0 ,V) with E 0 = £u{i>,[]} and the masking function 
satisfies V(u) = ’P(f) = e and V(x) - x for any other event x e £'. This construction is 
illustrated in Figure 8 . The figure uses the following shortcuts: a\, e £ b , e E^, aj € Ej, 7 e T, 
7 ' e {B, 1 0 ) and z e T \ {l 0 }. 

The correct observed sequences in (V', E 0 , V) are either of the form w\ \\\> kl \\v 02 ■ ■ - \\ b fc " _1 \\ w n 
or of the form w\ \\\> kl \\w -2 ■ ■ - \\ w n -\ \\ \> m . In these decompositions, Wi, for i < n, is a sequence 
corresponding to a run of V starting in qo and ending in some accepting state qj e Qf, ki is 
the number of elements in the stack after reading w,; in V and also in V' (apart from the 
bottom stack symbol 1 q), w n is the sequence associated to a run of V starting in qo, and m 
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Figure 8 A POpVPA for the EXPTIME-hardness of FF-diagnosability. 


is at most the number of elements in the stack after reading w n -1 in V. Note that ki only 
depends on uq, and does not depend on the exact run over wt, since V is a VPA. 

Now, the faulty observed sequences in ( V', E 0 , V) are either of the form w\ tj b fcl \\ wi... § b fe " _1 \\ w n 
or of the form w\\\\> kl \\W 2 ■ ■ - \\ w B -i \\ b m - In these decompositions, Wi e E*, ki is the size of 
the stack in V' (apart from the bottom stack symbol ±o) after reading Wi and to is at most 
the number of elements in the stack of 1/ after reading w n -\. 

Let us show that V is not universal if and only if (V',T, 0 ,V) is FF-diagnosable. 

First assume that V is not universal. Then there exists a word w € E* such that no run of V 
reading w ends in an accepting state qp. However, the observed sequence of any faulty run 
almost-surely contains the factor \\w\\. Indeed, faulty runs almost surely visit infinitely often 
the configuration (/t, lo), and from there, the probability A to read \\ w \\ is positive. Let p be 
an infinite faulty run. Its observed sequence is of the form V(p) = w\ \\ b fcl \\ W 2 \\ b fca \\ W 3 ... 
with ki < |wj| for every i. If there exists i < n such that Wi - w then p is surely faulty, 
since it has no corresponding correct run. The latter statement can be refined. For n > |'tc|, 
if, for every i < n, |uq| < n and there exists i < n such that w,, = w then Pi 2 n 2 +n is surely 
faulty. Indeed, |u>i \\ b fci | < 2n + 1, w occurs at the latest for i = n, and once it occurs the 
prefix is surely faulty. Let us therefore consider faulty runs that do not satisfy this property. 
We let Avoid„ = {p e F | V(p) = uq t| b fcl \\ w 2 \\ b fca \\ w 3 ■■■ A (Vi <nWi+w\/H<n 1^1 > n)}. 
By construction, FAmb 2 n 2 +ra £ Avoid„. Moreover, using standard union-sum inequalities, 
P(Avoid„) < (1 - X) n + Tpi (recall that A is the probability to read {\ w \\ from (/ 0 , lo))- Thus 
limn^oo P(Avoid„) = 0 and hence lim^oo P(FAmb„) = 0 so that (V',T, 0 ,V) is FF-diagnosable. 
Assume now that V is universal. Let p be an infinite surely faulty run of (V',T, 0 l V). We 
write p' for the greatest ambiguous prefix of p and a € E 0 u {t|, b} such that p'a is again a 
prefix of p. Observe that a cannot be b since the number of b’s between two (j’s, whether on 
the left or right-hand-side of V', is entirely determined by the word of E* read before the 
first (j. For the same reason, if a = f], V(p') ends with a word of E* (i.e. the number of f]’s in 
V(p') is even). Let w be the greatest suffix of V(p') contained in E*. If a = \\, we deduce 
that there is no run starting in q 0 with observed sequence w and ending in an accepting state 
of V. Therefore, V is not universal. Similarly, if a e E 0 , then there is no run starting in q 0 
and with observed sequence wa. In that case also, V is not universal. We hence conclude 
that there is no infinite surely faulty run in (V , ,E 0 ,V). As the probability to generate faulty 
runs is positive, this implies that (V',T, 0 ,V) is not IF-diagnosable. Now, IF-diagnosability 
is equivalent to FF-diagnosability for finitely branching POpLTS (see Theorem 4), and so 
(V',E a ,V) is not FF-diagnosable. 

Let us now argue for the EXPTIME-hardness of FA-diagnosability and lA-diagnosability. 
From the VPA V = (Q,S,r,5) and pVPA V' = (Q', E', T', S') defined above, we construct a 
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pVPA V" = (Q",£",r",<f",P") such that 
h Q" - Q' u {q c } and q r 0 is the initial state; 

- £" = £ u {f,u, j), a}; 

_ T" = T; 

- 5 " = 6 ' u {(?,a,7,? c )|7€ru{i 0 },q6Qu {g c }}; 

_ P" assigns arbitrary positive probabilities to transitions in 5". 

We further consider the POpVPA (V",Y, 0 ,V) with £ 0 = £"\{f,u}, and the masking function 
satisfies 'P(f) = V(u) = e and V(x) = x for any other event x. The construction is illustrated 
in Figure 9, where we use the shortcuts: a^ e £ t , e aj e Ej, 7 6 P, 7 ' 6 { B , l 0 ) and 
z € r N {J-o}- 



Figure 9 A POpVPA for EXPTIM E-hardness of FA-diagnosability and lA-diagnosability. 


V" is a slight modification of V': from any state of V (accepting or not), reading the new 
letter a leads to the sink state q c . As a consequence, for any correct run of (V", £ 0 , V), there is 
a positive probability at each step to perform event a and become surely correct. This implies 
lim„_ > 00 P(CAmb rl ) r j S N = 0. Observe that the above proof for V' also applies to V": V is not 
universal if and only if (V",E 0 ,?) is FF-diagnosable. Now, since lim^oo P(CAmb n )„ 6 N = 0, 
FF-diagnosability, FA-diagnosability and lA-diagnosability coincide for (V",Y, 0 ,V). We 
conclude that V is not universal if and only if (V",E„,?) is diagnosable (for any notion of 
diagnosability). •« 

B.4 Undecidability of diagnosability for POpPDA 

As stated in the core of the paper, diagnosability is undecidable for partially observable 
probabilistic pushdown automata (POpPDA). Let us first give the definition of pPDA and 
POpPDA. Contrary to VPA, in PDA, the action does not determine the operation (push, 
pop, local) on the stack. 

► Definition 21. A probabilistic pushdown automaton (pPDA) is a tuple A= (Q, E, T, S, P) 
where: 

h Q is a finite set of control states with qo the initial state; 
h £ is a finite alphabet of events; 

h r is a finite alphabet of stack symbols including a set of bottom stack symbols r ± with 
initial symbol lo € r ± ; 

i5cQxrx£xQxr 4 is the set of transitions such that for every (g, 7 , a, q, w ) e S, |ui| < 2 , 
7 e T ± implies w e r ± (r \ r ± )* and 7 £ r ± implies w e (T \ r ± )*; 
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h P is the transition probability function fulfilling for every q e Q and 7 € T: 

Y P[(q,'Y,a,q',w)] = i- 

(q,j,a,q r ,w)e8 

► Definition 22. A partially observable pPDA (POpPDA) is a tuple (A,T, 0 ,V) consisting of 
a pPDA A equipped with a mapping V : E -*■ E 0 u {e} where E 0 is the set of observations. 

The undecidability of diagnosability for POpPDA can be derived from the undecidability 
of diagnosability for non-probabilistic PDA [11]. However, to show how robust the result 
is, we refine the statement into Theorems 23 and 24: undecidability already holds for two 
(incomparable) subclasses of POpPDA with restriction on what is observable and on the 
number of phases of any run. A phase is a portion of run in which the stack either never 
decreases or never increases. 

► Theorem 23. The diagnosability problems are undecidable for POpPDA even when (1) the 
top of the stack is not updated, (2) every event labelling a push transition is fully observable 
and corresponds to the pushed symbol, and (3) every run consists of at most two phases. 

Proof. The proof is by reduction from the Post correspondence problem (POP). An instance 
of POP is given by an integer n e N and two families of non-empty words {vi}i< n and {wi}i< n 
on the alphabet {a, 6}. The following question is undecidable: does there exist k > 0 and 
ii, ... ik e { 1 , • • ■ ,n} such that w il ... w ik = ... v ik l 

In this proof, we let ii (resp. mf) be the length of Vi (resp. Wi). Also, given a word w 
and k < |w] we use w[fc] to denote the k th -letter of w. 

From an instance (n,{vi}i< n ,{wi}i< n ) of PCP, we build a pPDA A = (Q,E,r,5, P) as 
follows: 

- Q = tadcfe./sjutf 11 < i<n,l < k<ti}u{fk 11 <i< n ,l < k< mj ; 

- E = {1,... ,n, tj,u,r,f,a,6); 

- r = {l,...,n,l 0 } with r ± = {± 0 }; 

h S consists of the following transitions: 

{(g 0 , -l-o, -LoZ,<7c) | 1 < x < n} 

u {(q c A,y,xy,q c ) \i<x,y<n} 

u {(Qi,z,Vi[k],z,q!f +1 ) | 1 <i<n,l<k<£i,ze {i 0 ,l,...,n}} 
u {(fi,z,Wi[k],z,f^ +1 ) \ l<i<n,l<k<mi,ze (l 0 ,1,... ,n}} 
u {(gf ,z,Vi[(.i],z,q s ) \ 1 < i < n,z e (i 0 ,1,... ,n}} 
u {if™* > z ,Wi[mi],z, f s ) | 1 <i<n,ze (i 0 ,l,... ,n}} 
u {( q s ,x,r,e,ql ) | 1 < x < n} 
u {( fs,x,r,e,fl) | 1 <x<n} 
u {(q c ,x,u,x,q s ),(q c ,x,f,x,f s ) \ 1 < x < n} 
u {(?s, lo, \\, J-o, g s ), (fs, lo, t], J-o, fs)}. 

_ P assigns arbitrary positive probabilities to transitions in (5: 

P('7,7,«,</,w) > 0 <=> (g, 7, a, g', w) e S and p [(<?, 7,«, </, ^)] = 1. 

We further consider the POpPDA (A, E 0 , V) with E 0 = E \ {r, u, f}, and the masking function 
satisfies V{u) = V(r) = V(f) = e and V(x) = x for any other event x. This POpPDA is 
represented in Figure 10. 

Let us prove that the instance of the PCP is positive if and only if the POpPDA is IF-, 
I A- and FA-diagnosable. 

Assume first that there exists a solution i\,.. .,ik to the PCP instance (n, {vi}i< n , {wi}i< n ). 
Consider in the POpPDA the faulty run: 

Pf = 9o(^gc)j<fef(/ s r(/f.u;i.[p])p< mi . )j< k (fs \\T , 
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Figure 10 A POpPDA for the proof of Theorem 23. 


and the correct run: 

Pc = 9o {ij<lc) 3 <ku{q s r(q p i .v i] [p])^. )j<k(q s \\Y ■ 

These two runs have the same observed sequence: V(pf) = V(p c ) = ii ■ . ■ikw\\ u with w = 
Wi 1 ... Wi k = Vi 1 ... Vi k . Therefore, pf is an infinite ambiguous faulty run. Given that 
P (pf) > 0, we deduce that the POpPDA (A,T, a ,V) is not IF-diagnosable. From Theorem 4, 
it is also neither lA-diagnosable nor FA-diagnosable. 

Conversely, assume that the PCP instance (n,{vi}i< n ,{wi}i< n ) has no solution. Independ¬ 
ently of that, observe that \\ almost surely occurs in an infinite run of the pPDA A. Thus, 
for any e > 0, there exists N 6 N such that the measure of signalling runs with observable 
length N that reach configurations ( q s , l 0 ) or (/ s , l 0 ) by an event \\ is at least 1 -e. Consider 
a correct run p c with observable length N , ending in (g s ,lo) and containing at least an 
occurrence of \\. Its observed sequence is of the form V(p c ) - i i ■ ■ ■ ikVi i ■ ■ ■ Vi k \\ m for some 
Due to the fact that (n,{vi}i< n ,{wi}i< n ) has no solution, no faulty run can 
have the same observed sequence. Therefore, p c is surely correct. Symmetrically, any faulty 
run ending in (/ s , ±o) after an occurrence of \\ is surely faulty. We thus conclude that, for any 
e > 0, there exists N e N such that P(FAmbjv ts CAmb^v) < e. As a consequence, the POpPDA 
(A,T, 0 ,V) is FA-diagnosable. By Theorem 4 it is also lA-diagnosable and IF-diagnosable. « 

A similar undecidability result holds for a classe of POpPDA in which pop events are 
fully observable, and the number of phases is constant: 

► Theorem 24. The diagnosability problems are undecidable for POpPDA even when (1) the 
top of the stack is not updated, (2) every event labelling a pop transition is fully observable 
and corresponds to the popped symbol, and (3) every run consists of at most two phases. 














N. Bertrand and S. Haddad and E. Lefaucheux 


27 


Proof. The proof follows the same line as the one for Theorem 23. 

From an instance (n,{vi}i< n ,{wi}i< n ) of PCP, let us define a pPDA A = (Q, £,P, S, P) 
where: 

- Q = {qo,q s ,fsAe,fe} u{qi 11 < i < n,l < k <■£*} u {fi | 1 < i < n, 1 < k < mj ; 

■ E = {l,...,n,t],u,c,f,a,6}; 

■ r = {1,... ,n, ±o} with r ± = {i 0 }; 

_ S consists of the following transitions: 

{(qoA,UA,qs),(qoA,fA,fs),(qeA,\\A,qe),(feAAA,fe)} 
u {(qi,z,Vi[k\,z,q^ +1 ) \ 1 < i < n, 1 < k < t h z e {i, 1,..., n}} 
u {(fiA,Wi[k],z, f^ +1 ) | 1 < i < n,l < k< rrn,z e {l,l,...,n}} 
u {(gf ,z,Vi[ti],z,q s ) \ 1 < i < n, z e {l, 1,... ,n}} 
u {(.fr i A,Wi[' r ni], z Js) 11 < * < n ,2 e {i, 1,... ,n} 
u {(q s ,z,c,zx,ql) \ z e {i, 1,..., n}, x e {1,..., n}} 
u {(f a ,z,c,zx,f*) | z e {l, 1,... ,n},a; e {1,...,n}} 
u {( q s ,x,x,e,q e ) | x e {1,..., n}} 
u {(f s ,x,x,e, f e ) | x e {l,...,n}} 
u {(q e ,x,x,£,q e ) | xt {l,...,n}} 
u {(f e ,x,x,e, f e ) | a: e { 1 ,... ,n}}. 
h P assigns arbitrary positive probabilities to transitions in (5. 

We further consider the POpPDA (A, £ 0 , V) with £ 0 = £ \ {c, u, f}, and the masking function 
satisfies V(u) = V(c) = P(f) = e and V(x) = x for any other event x. This POpPDA is 
represented in Figure 11. 


J-Oj ^ J-o 


J-Oj t], lo 



Figure 11 A POpPDA for the proof of Theorem 24. 


Let us prove that the instance of the PCP is positive if and only if the POpPDA is IF-, 
I A- and FA-diagnosable. 
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Assume first that there exists a solution i\,...,i k to the PCP instance (n, {«,},<„, { Wi}i< n ). 
Consider the faulty run: 

Pf = 9of/ S (c(/f. Wi . b])p<m,. fs)j<k{ijfe)j<k{\\ fe) > 
and the correct run: 

Pc = qoms(c{qi.v i:j [p]) p < ei .q s ) j < k (i j q e ) j < k (^q e ) u . 

These two runs have the same observed sequence: V{pf) = V{p c ) = wi\ .. .ik\\ u with w = 
Wi 1 ... Wi k = Vi 1 ... Vi k . Therefore, pf is an infinite ambiguous faulty run. Given that 
P (pf) > 0, we deduce that the POpPDA (A,T, 0l V) is not IF-diagnosable. From Theorem 4, 
it is also neither lA-diagnosable nor FA-diagnosable. 

Conversely, assume that the PCP instance (n, {uj}j<„, {«;*},<„) has no solution. 

Independently of that, observe that \\ almost surely occurs in an infinite run of the pPDA 
A. Thus, for any e > 0, there exists N € N such that the measure of signalling runs with 
observable length N that reach configurations (g e , J-o) or {fe, J-o) by an event \\ is at least 
1 — e. Consider a correct run p c with observable length N ending in ( q e , ±o) and with an 
occurrence of t]. Its observed sequence is of the form v i 1 ... Vi k i\. .. i k \\ m for some ii, . .., i k ,m. 
Due to the fact that (n, {uj},;< n , {wi}i< n ) has no solution, no faulty run can have the same 
observed sequence. Therefore, p c is surely correct. Symmetrically, any faulty run ending in 
{f e , lo) by an occurrence of \\ is surely faulty. We thus conclude that, for any e > 0, there 
exists N e N such that P(FAmbjv m CAmbjv) < £■ As a consequence, the POpPDA {A, ’E 0 ,'P) 
is FA-diagnosable. By Theorem 4 it is also lA-diagnosable and IF-diagnosable. « 



